
I Manage Security Controls. But I’m Called a Security Architect

My title says Security Architect. My work says something else.

I configure IAM, define policies, run scans, respond to vulnerabilities. This is critical work.

But is this architecture?


Why Do I Believe I’m an Architect?

  • I hold security certifications

  • I design access policies and controls

  • I run audits and compliance checks

  • My role is titled “Security Architect”


What this actually means: I operate strongly in P5 (implementation) and P6 (operations/governance).


What I Actually Do

  • Configure IAM / access controls

  • Define encryption / key management

  • Run vulnerability scans

  • Monitor incidents and compliance


All essential. But structurally:

This is implementation and operations.


The Structural Distinction

Architecture = Definition + Visualization (P1–P4)

Security Implementation = Execution (P5) + Operations (P6)

Security architecture would define:

  • P1: risk appetite, control objectives

  • P2: how controls apply across processes

  • P3: how rules interact with application logic, data, and timing

  • P4: security components and boundaries

Controls enforce it. They don’t define it.

Case — Access Control Drift

Requirement Change: Consistent access policy across applications and regions.


What exists: IAM policies, role-based access, audits


What’s missing: 

P2 sequencing across onboarding → usage → revocation;

P3 interaction with app logic and data sensitivity;

P4 component boundaries for identity and access


Impact:

  • Access inconsistencies across apps

  • Audit exceptions repeat

  • Remediation cycles 2–3× longer

  • Rework 25–40%

The controls are correct. The system is not architected.


Then Where Is the Architect?

If I manage controls and I’m called an architect…

Who is defining how security integrates with business flow and system logic?

Chief Architect Exit

When definition is absent:

Controls remain. Architecture does not.

Financial Exposure

  • Change cost ↑ 15–30%

  • Rework ↑ 25–40%

  • Audit/exception cycles ↑


Diagnostics note

Security is critical. Calling controls “architecture” creates a structural gap.

 
 
 
